Deploy from ECR in staging #276
Conversation
davemcorwin
changed the title
| @@ -6,6 +6,7 @@ applications: | |||
| instances: 0 | |||
| docker: | |||
| image: ((image)) | |||
| username: AKIAWNYQRJFGHBAWM5MI | |||
There was a problem hiding this comment.
should we put this in a circleci env variable?
There was a problem hiding this comment.
we can, we don't have to. Per prior, unrelated convos in Slack, the account key is NOT secret
There was a problem hiding this comment.
ok ... good to know ... ideally, i'd prefer it in circleci env vars
There was a problem hiding this comment.
It's also part of the ECR repository URL so I'd have to string concat with the env var in multiple places as well... no it doesn't, I was thinking of the account id...
There was a problem hiding this comment.
Another reason for leaving it is I can still use the same deploy script since I don't need to pass it as an extra CL parameter. That said, this won't be an issue when both staging and prod are updated, let's revisit.
Updated to use ECR for staging.
A single ECR "repository" named
federalist/garden-buildhas been configured in GovCloudus-gov-west-1(441879447884) to store our images. For now, I am tagging the imagesstagingandproduction(eventually) for the appropriate environments to minimize the disruption to our current workflow. At some point, we can modify our process to version the images and perhaps turn on "tag immutability" on the ECR "repository" to enforce this which allow us to ensure that the same image tested in staging is the one actually promoted to production.I have configured individual and attempted least-privileged read (
federalist-ecr-read) and write (federalist-ecr-write) IAM users/policies that have appropriate access to ALL ECR "repositories" for this account (we currently only have the one). The "read" user is used when deploying the image to cloud.gov which is apparently cached by the platform so the image can be refetched during restarts and restages.